Remote & Branch Networking Fundamentals #AirheadsConf Italy

Remote and Branch Networking Fundamentals

June 9-14, 2014

CONFIDENTIAL

© Copyright 2014. Aruba Networks, Inc.

All rights reserved2 #AirheadsConf

Agenda

• Challenges of Deploying Remote networks

• Aruba Solution

• Aruba Instant

• Aruba Instant for Private WAN based Deployments

• Aruba Instant-VPN

• Management and Zero-Touch Deployment

Challenges of Deploying Remote Networks

4CONFIDENTIAL


All rights reserved#AirheadsConf

Who should care?

Branch office / Remote teleworker

Retail

Healthcare

5CONFIDENTIAL



Challenges

Aruba Solution

7CONFIDENTIAL



Aruba Solution

Home Office On The RoadBranch

Datacenter

AirWave Aruba Mobility Controller ClearPass Access Management

Instant-VPN

Mobility Switch

Instant Cluster

Virtual Intranet

Access (VIA) Client

Internet / WAN

Instant Cluster

Management and Zero-Touch Deployment

9CONFIDENTIAL



Internet

Airwave and Aruba Central

Campus Network

Aruba Central Aruba AirWave

Data Center

• Advanced guest services

• Mobile device onboarding

• Unified wired/wireless policy

Airwave

ClearPas

s

Mobility

Switch

10CONFIDENTIAL



Aruba Activate: Zero-touch Deployment

Aruba Instant

12CONFIDENTIAL



Aruba Instant

• Redundancy for internal failure

• Redundancy for external failure

• Organic growth

• Mobility-ready

• RF optimization

• Master AP selection

• Over-the-air provisioning

• WiFi oriented configuration

Simple to deploy

Self-optimizing

Self-healing

Scalable

13CONFIDENTIAL



Aruba Instant Architecture

• Distributed data-plane

– Wireless encryption / decryption, firewall

• Distributed control-plane

– Authentication, DHCP, ARM, WIPS

• Centralized (local) management-plane

– Configuration, firmware management, GUI, SNMP

14CONFIDENTIAL



Automatic RF Management

Infrastructure control

• Automatic RF optimization for coverage & capacity

• Real-time spectrum analysis and interference avoidance

• Load / Application awareness

• Self-healing

Channel 11

Channel 6

Channel 1

Client Control

• Moves clients towards less congested frequency band

• Distributes clients across available spectrum*

• Bandwidth controls

15CONFIDENTIAL



Security tailored for Mobility

Context Aware

On-boarding

Role-based access

Policy Enforcement

• Aruba RFProtect + AirWave RAPIDS• RF Scanning, Rogue AP detection / containment, Valid-station protection

• Encryption• Over-the-air AES encryption, IPSec VPN to datacenter (where applicable)

• Role-based Access• Per-user, per-device access

• Policy Enforcement Firewall• Segregation of business traffic from guest traffic.

• Blacklisting for session violation

• Centralized Monitoring and Alerting

16CONFIDENTIAL



• No need for separate SSID for QoS.

• Session based DSCP tagging & prioritization

• Multicast-to-unicast conversion for video

• Media-classification for encrypted voice –Apple Facetime

• AirGroup* to manage Apple AirPlay, AirPrint, etc

Mobility Services: Real-time Applications

Clear

Pass

IAP

IAP IAP

17CONFIDENTIAL



Mobility Services: Guest Access

• Securely Manage Visitor Access

– Streamlined workflow; No IT

• Sponsored-based, Visitor Self-Registration, Pre-registration,

Anonymous Guest Access

• 3rd Party Integrations

• APIs for integration with existing applications / CRM tools

– Assignable roles, expiration times, user names, passwords

• Highest Customization

– Skin technology, software plugins, APIs

– Targeted advertising and content delivery

Private WAN based Deployments

19CONFIDENTIAL



Private-WAN based Deployments

20CONFIDENTIAL



Private-WAN based Deployments

21CONFIDENTIAL



Auto-GRE for Guest

Branch office

Datacenter

AirWave ClearPass

Instant Cluster

VRRP Link

Master Standby

Guest Anchor

Master ActiveServers

MPLS

Employee Traffic

Guest Traffic

Aruba Instant-VPN

23CONFIDENTIAL



Datacenter

AirWave/Aruba

Central Aruba Mobility ControllerClearPass solution

Internet / WAN

VRRP Link

Master Standby

DMZ

Master Active

Home Office

Instant

Home office Solution

Home Office

Instant

24CONFIDENTIAL



Branch Office Solution

Branch office

Datacenter

AirWave/Aruba

Central Aruba Mobility ControllerClearPass solution

Instant Cluster

Internet / WAN

VRRP Link

Master Standby

DMZ

Master Active

Branch office

Instant Cluster

25CONFIDENTIAL



DHCP - How does Distributed L3 work ?

Network 10.0.0.0/8

VLANs 10 to 99

Data Center

Remote Branch

Internet /

WAN

Active

VPN

Tunnel

Client A

Browsing to

Intranet

Browsing to

Youtube

Route on IAP –

For 10.0.0.0/8 network, next

hop is VPN terminating

controller’s IP address

Master IAP Memeber IAP

Client B

Browsing to

Intranet

Browsing to

Youtube

VLAN 250

IAP-VC is the

DHCP Server

DHCP

Request

VC SRC NATs traffic using IAPs local IPVC routes the traffic to the

tunnel

Intranet

26CONFIDENTIAL



DHCP - How does Centralized L2 work ?

Network 10.0.0.0/8

VLANs 10 to 99

Data Center

Remote Branch

Internet /

WAN

Active

VPN

Tunnel

Client A

Browsing to

Intranet

Browsing to

Youtube

Route on IAP –




Master IAP Member IAP

Client B

Browsing to

Intranet

Browsing to

Youtube

VLAN 50

DHCP

Request

VC SRC NATs traffic using IAPs local IPVC bridges traffic in the

tunnel

VLAN 50

DHCP Server and

Default Gateway

Intranet

27CONFIDENTIAL



DHCP - How does Local Subnet work ?

Intranet

Network 10.0.0.0/8

VLANs 10 to 99

Data Center

Remote Branch

Internet /

WAN

Active

VPN

Tunnel

Client A

Browsing to

Intranet

Browsing to

Youtube

Route on IAP –




Master IAP Slave IAP

Client B

Browsing to

Intranet

Browsing to

Youtube

VLAN 200

IAP-VC is the

DHCP Server

DHCP

Request

VC SRC NATs traffic using IAPs local IPVC SRC NATs traffic using

inner IP

28CONFIDENTIAL



Recommendations

IAP-VPN Modes Usage Recommendations

Distributed L3 Recommended for all deployments.

Local Recommended for Guest networks with centralized captive portal

servers.

Centralized L2 Recommended only if Multicast to branch is a requirement. If

Multicast to branch networks is not required, use L3 modes.

Aruba Instant-VPN Design Options

31CONFIDENTIAL



Single AP deployments

32CONFIDENTIAL



Single AP deployments

33CONFIDENTIAL



Multi-AP deployments

34CONFIDENTIAL



Multi-AP deployments

35CONFIDENTIAL


All rights reserved

Thank You

#AirheadsConf

41CONFIDENTIAL



42CONFIDENTIAL


All rights reserved

Thank You

#AirheadsConf

Remote & Branch Networking Fundamentals #AirheadsConf Italy

Technology

aruba raps

corporate network

wireless access solution

securing network access

multisite networks

home wifi network

solution architecture

home office user